Here are some more comments:
1. You application should use the appAuth Libraries for OpenID Connect Authentication. - list text hereWeb Views is not secure. See these best practices:
- [IETF Draft on mobile oauth2 best practices](http://www.gluu.co/mobile-oauth2
- [AppAuth Android Client](http://www.gluu.co/app-auth-android)
- [AppAuth IOS Client]([http://www.gluu.co/app-auth-ios)
2) When you call the authorize endpoint during the authentication request, make sure you specify the acr that corresponds to the "Name" of the custom authentication script.
3) I recommend looking up the mobile number for the person in LDAP, sending a random code to the person's mobile--writing that code to the pre-authentication session context for that browser. In the sample scripts, you'll see :
```
context = Contexts.getEventContext()
context.set("variable", "x")
context.get("variable")
```
Once you've authenticated the person, you'll have a session in the browser which can be used by any app or even the browser for SSO.
It is highly recommended that you review the OpenID Connect Specs, especially the implementers guide on [http://openid.net/connect](http://openid.net/connect)
Note, for secure mobile authentication, you'll also have to use PKCE.
If you need priority support, I suggest TechMahindra of the end client purchase a commercial Gluu Support subscription.